The client presented a valid XML token, but an error occurred during the attempt to generate a Windows NT token from the ...

Windows Server 2008

The client presented a valid XML token, but an error occurred during the attempt to generate a Windows NT token from the client's user principal name (UPN) or e-mail claim. The error code was %3. 
Token ID: %4 
Issuer: %5 
Identity: %6 
Error code: %3 

User Action 
Ensure that a shadow account exists for the user. 

Ensure that the user's shadow account is functional; that is, the account is not disabled, not locked out, and has been granted the network logon right to this computer. 
If this computer is joined to a domain that is operating at the Windows 2000 functional level, ensure that the service account for the AD FS authentication service ('%2') belongs to the Pre-Windows 2000 Compatible Access group. 
If this computer is joined to a domain that is operating at the Windows Server 2003 functional level, ensure that the service account for the AD FS authentication service ('%2') belongs to the Windows Authorization Access group or the Pre-Windows 2000 Compatible Access group.

The client presented a valid XML token, but a Windows NT token could not be produced because the token contains neither a ... The client presented a valid XML token, but a Windows NT token could not be produced because the token contains neither user ... The client presented a valid XML token, but an error occurred during the attempt to generate a Windows NT token from the ... The client presented a valid XML token, but an error occurred during the attempt to generate a Windows NT token from the ... The client presented a valid XML token, but an error occurred during the attempt to generate a Windows NT token from the ... The client presented a valid XML token, but an error occurred when generating a Windows NT token from the Active Direcotry ... The client presented an invalid inbound token as evidence. Ensure that a verification certificate corresponding to the token-signing ... The client presented an invalid inbound token as evidence. The token contained Active Directory Domain Services security ... The client presented an invalid inbound token as evidence. The token contained invalid Active Directory Domain Services security ...